On Apr 6, 2007, at 2:12 AM, Bill Landry wrote:

ram wrote the following on 4/5/2007 10:23 PM -0800:
On Wed, 2007-04-04 at 08:11 -0700, Bill Landry wrote:

ram wrote the following on 4/4/2007 12:56 AM -0800:

On Tue, 2007-04-03 at 13:15 -0700, Bill Landry wrote:


Dave Pooser wrote the following on 4/3/2007 11:19 AM -0800:


I'm seeing a bunch of spam using URLs from domains created on the same day or in the past day or two. I don't know how red.uribl.com works, but I imagine it missed the same-day stuff because its automated process needs time to work. Is there a better way to handle this-- possibly pulling the information from whois during mail processing? (Although that would be resource-intensive and would probably run afoul of their prohibition on
high-volume querying, so that's probably a lose.)



Maybe have a look at using "The Day Old Bread List" DNSRBL? More info
at http://support-intelligence.com/dob/



This seems to be an intelligent idea. Can I subscribe to their DOB lists
alone?

What are the zones to query?


No subscription necessary to use the DNSRBL service. Here is how I've
been using their list with SA:

header __RCVD_IN_DOB    eval:check_rbl('dob', 'dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOB    net
score __RCVD_IN_DOB     0

header RCVD_IN_DOB      eval:check_rbl_sub('dob', '127.0.0.2')
describe RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB      net
score RCVD_IN_DOB       1.667

header DNS_FROM_DOB     eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB   Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB     net
score DNS_FROM_DOB      1.334

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 127.0.0.2
body URIBL_RHS_DOB      eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB    net
score URIBL_RHS_DOB     2.75



Is this zone alive?

I put this in my local.cf since yesterday. Haven't seen a single hit.

urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
body URIBL_RHS_DOB              eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
score URIBL_RHS_DOB  1.0


Thanks
Ram

Yep, it's alive.  I got 56 hits on URIBL_RHS_DOB on one of my servers
today.  Try copying what I originally sent to the list instead of your
modified version.

Bill


I can also confirm Bill's unmodified version works like a charm. 8 hits on my single mailbox since yesterday.

Brian
